Virtualization-based protection of code integrity must be enabled on domain-joined systems.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-63603	WN10-CC-000080	SV-78093r1_rule		Medium

Description
Virtualization based protection of code integrity enforces kernel mode memory protections as well as protecting Code Integrity validation paths. This isolates the processes from the rest of the operating system and can only be accessed by privileged system software.

STIG	Date
Windows 10 Security Technical Implementation Guide	2015-11-30

Details

Check Text ( C-64353r2_chk )
Confirm virtualization-based protection of code integrity is running on domain-joined systems. For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot and Hyper-V. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "2" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Device Guard Security Services Running" does not list "Hypervisor enforced Code Integrity", this is finding. The policy settings referenced in the Fix section will configure the following registry values. However due to hardware requirements, the registry values alone do not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: HypervisorEnforcedCodeIntegrity Value Type: REG_DWORD Value: 1

Check Text ( C-64353r2_chk )

Confirm virtualization-based protection of code integrity is running on domain-joined systems.
For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot and Hyper-V.

Run "PowerShell" with elevated privileges (run as administrator).
Enter the following:
"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard"

If "SecurityServicesRunning" does not include a value of "2" (e.g., "{1, 2}"), this is a finding.

Alternately:

Run "System Information".
Under "System Summary", verify the following:
If "Device Guard Security Services Running" does not list "Hypervisor enforced Code Integrity", this is finding.

The policy settings referenced in the Fix section will configure the following registry values. However due to hardware requirements, the registry values alone do not ensure proper function.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\

Value Name: HypervisorEnforcedCodeIntegrity
Value Type: REG_DWORD
Value: 1

Fix Text (F-69533r2_fix)
For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot and Hyper-V. Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enable Virtualization Based Protection of Code Integrity" selected. This selection is under the same policy that enables Credential Guard.

Fix Text (F-69533r2_fix)

For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot and Hyper-V.

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enable Virtualization Based Protection of Code Integrity" selected.

This selection is under the same policy that enables Credential Guard.